I'm seeing a new spam variant that is clearly designed to get
past SURBL. It is an HTML message that contains many (50~100)
'invisible' links; links that have no target text, just:
<A href="http://garbage.sitename.tld";></A>

The intention is clear, they want to fill up the 20 'slots' of
the spamcop_uri_limit with their junk links so the real "payload"
URL can slip past unchecked. That's playing a statistical game;
there's a 1 in 20 chance of the "payload" getting picked by the
randomizer, but that means that 95% slip by.

To add insult to injury, they're tossing in random "\r" (ASCII-CR)
characters into the "payload" hostname to try to break SpamAssassin's
URI parsing.

Is it time to create rules to penalize large numbers of 'invisible'
links?

The one thing that has me worried is that people may just start
cranking up the spamcop_uri_limit value to do a brute-force response
to this trash (or have a simple-minded client that doesn't have
that kind of limit). This will add an ever-increasing load on the
SURBL DNS servers. I'm already seeing a steady-state average of
130 queries/second against my two servers (with spikes in the 150~175
range). The trend has been a steady increase (passed the 100 Q/S mark
last fall).


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

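A detector for the two tricks described in the post (anchor tags with no visible text, and CR characters inserted into the payload hostname), written as an added example; it is not part of the original message and is not SpamAssassin or SURBL code. It parses the HTML with the standard library, strips CR/LF/TAB from each href before extracting the hostname, counts the anchors that carry no text, and flags a message when the invisible-link count reaches the 20 URI slots mentioned in the post or any href contains control characters. The sample message, the `*.example.net` / `example.com` hostnames and the `evasion_flags` threshold are constructed for the example.

```python
"""Detect SURBL-evasion patterns in an HTML mail body (added example,
not SpamAssassin code): many text-less anchors and CR-injected hostnames."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Characters a spammer may sprinkle into a hostname to confuse URI parsing.
# Removing them before extracting the host is the normalization step.
CONTROL_CHARS = "\r\n\t"


def normalize_host(href):
    """Return the lower-cased hostname of href with CR/LF/TAB removed, or ''."""
    cleaned = "".join(ch for ch in href if ch not in CONTROL_CHARS)
    try:
        host = urlsplit(cleaned).hostname or ""
    except ValueError:  # malformed netloc such as an unbalanced IPv6 bracket
        return ""
    return host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []        # finished (href, text) tuples
        self._current = None   # [href, text_fragments] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._current = [dict(attrs).get("href") or "", []]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._current is not None:
            href, parts = self._current
            self.links.append((href, "".join(parts).strip()))
            self._current = None


def analyze_links(html):
    """Summarize the anchors in html: counts of invisible and CR-injected links
    plus the de-duplicated, normalized hostnames a URI blocklist would see."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    invisible = [h for h, text in parser.links if not text]
    cr_injected = [h for h, _ in parser.links if any(c in h for c in CONTROL_CHARS)]
    distinct_hosts = sorted({normalize_host(h) for h, _ in parser.links} - {""})
    return {
        "total_links": len(parser.links),
        "invisible_links": len(invisible),
        "cr_injected_links": len(cr_injected),
        "distinct_hosts": distinct_hosts,
    }


def evasion_flags(summary, invisible_limit=20):
    """Name the evasion patterns present; invisible_limit mirrors the 20 URI
    slots of spamcop_uri_limit discussed in the post (threshold is an assumption)."""
    flags = []
    if summary["invisible_links"] >= invisible_limit:
        flags.append("many_invisible_links")
    if summary["cr_injected_links"]:
        flags.append("control_chars_in_href")
    return flags


# Constructed sample: 25 text-less filler anchors followed by one visible
# "payload" link whose hostname carries an embedded CR.
SAMPLE_HTML = (
    "<html><body>"
    + "".join('<A href="http://garbage%d.example.net"></A>' % i for i in range(25))
    + '<p>Check this out: <a href="http://pay\rload.example.com/buy">click here</a></p>'
    + "</body></html>"
)

if __name__ == "__main__":
    summary = analyze_links(SAMPLE_HTML)
    print(summary["total_links"], summary["invisible_links"], summary["cr_injected_links"])
    print(evasion_flags(summary))
```

Because the hostnames are de-duplicated after normalization, the same function also gives the list a filter would actually need to look up, so the filler links do not multiply DNS queries against the SURBL servers.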